WordPress Security Hacks

WordPress security should be on your mind if you have a WordPress site. 99% of WordPress installations are not secure, especially if they are on a shared hosting solution.

Here are a few ways you can secure your WordPress installation a bit more than the “other guy”. Generally, unless there is some reason why you in particular are being attacked, vandals go for the easiest targets instead of trying to break down your WordPress security.

For most people this article is over their heads – so don’t feel bad if you don’t know how or want to learn how to do this. Regardless, here is how you can make your WP installation more secure:

Get this free plugin

http://wordpress.org/extend/plugins/wp-security-scan/ will help by automatically identifying some of the areas that have issues.

Update WordPress

Disable your plugins, back up your database, and do the auto upgrade. Reactivate your plugins one at a time after the upgrade.

Use Strong Passwords

‘apple’ is a bad password because it’s in the dictionary. A good password uses a combination of Upper/Lower Case, Numbers/Letters/Symbols, does not repeat, and is not found in the dictionary. I like to use Al+kM&aLKh0rs3s (All the King’s Men and All the King’s Horses), or similarly obscure passwords that are meaningful to me.

Delete the Admin Account

As an admin, create a new admin account and delete the “Admin” account. If hackers don’t know the admin account, it’s much harder for them to attack. Don’t forget to attribute all posts to the new admin (which has a non “admin like” name).

Rename Admin User

Use phpMyAdmin, or whatever your MySQL editor is, click on the “users” table, and change the login name to something other than “admin”.

Use Blank index Pages

Placing a simple blank index page in directories that you don’t want people to browse, and configuring Apache to not show directory listings, is a good idea. People can’t hack what they can’t find. You can add “Options -Indexes” in either your Apache conf or .htaccess files.

Limit Login Attempts

http://wordpress.org/extend/plugins/login-lockdown/ or http://devel.kostdoktorn.se/limit-login-attempts/ will block logins for a set time after too many failed attempts. Either is a simple plugin that is easier to use than configuring password authentication via Apache.

Use Odd WP Table Prefixes

The default table prefix for WordPress is wp_. Change this to something else to make it that much harder for a hacker to guess your database structure.
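The blank index page, directory listing and table prefix items above can be checked with a short script. This is an added example, not code from the original article; the function name `audit` is hypothetical, and it assumes the standard layout with wp-config.php and wp-content under the site root. It only reads .htaccess, so a listing rule set in the main Apache config will not be seen.

```python
import os
import re
import sys

# Matches the assignment in wp-config.php, e.g. $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)
# Matches an uncommented Options line that turns directory listings off.
NO_INDEX_RE = re.compile(r"^\s*Options\b.*-Indexes\b", re.M | re.I)
INDEX_FILES = {"index.php", "index.html", "index.htm"}


def read(path):
    """Return the file's text, or '' if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit(wp_root):
    """Return a sorted list of findings for the WordPress tree at wp_root."""
    findings = []
    match = PREFIX_RE.search(read(os.path.join(wp_root, "wp-config.php")))
    if match is None:
        findings.append("table prefix: not found in wp-config.php")
    elif match.group(1) == "wp_":
        findings.append("table prefix: still the default wp_")

    # Partial check: the main server config is not visible from here.
    if not NO_INDEX_RE.search(read(os.path.join(wp_root, ".htaccess"))):
        findings.append("listings: no 'Options -Indexes' in .htaccess")

    # A directory without an index file is browsable if listings are on.
    content = os.path.join(wp_root, "wp-content")
    for dirpath, _dirs, files in os.walk(content):
        if not INDEX_FILES & {name.lower() for name in files}:
            rel = os.path.relpath(dirpath, wp_root)
            findings.append("no index file: " + rel)
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it with the site root as the only argument; an empty result means none of the three issues were found in the files it can see.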

Hide Login Error Messages

Add this to your theme’s functions.php to suppress the detailed error messages on failed login attempts: add_filter('login_errors', function ($a) { return null; }); If the hacker doesn’t know why their password attempt is failing, it’s harder to “fix it”.

Use SSL for Logins

Instead of logging in at http://site.com/wp-admin/, log in at https://site.com/wp-admin/. SSL certificates can be either self-signed or purchased cheaply ($15 for a year). There is no excuse for sending your login and password in plain text across the internet! You will need a dedicated IP address to do this, but it’s well worth it.

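Limit access to only YOUR IP address

Again using either .htaccess or the Apache config, protect your wp-admin folder (or any folder that is important to protect). The block below is for the Apache config: a <Location> section is not allowed in .htaccess, so in an .htaccess file placed inside wp-admin use the same three directives without the <Location> wrapper. These are Apache 2.2 style access directives.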

<Location /wp-admin>
Order deny,allow
Deny from all
Allow from 71.72.73.74
</Location>